fix: stop writing config keys that OpenClaw's schema rejects

The hardener was writing exec.approvals, exec.autoApprove, sandbox.mode,
and gateway.mdns.mode to openclaw.json. These keys are not recognized by
OpenClaw's runtime config schema, causing "Invalid config" errors that
prevent the plugin from loading.

Now the hardener only writes valid keys (tools.exec.host, session.dmScope,
logging.redactSensitive, gateway.*) and strips any invalid keys already
present. The affected audit findings (SC-EXEC-001, SC-EXEC-003, SC-GW-007)
are marked as non-auto-fixable with manual remediation instructions.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: adversa-ai

secureclaw/src/auditor.ts

@@ -338,8 +338,8 @@ export async function auditGateway(ctx: AuditContext, deep = false): Promise<Aud
       title: 'mDNS broadcasting in full mode',
       description: 'mDNS is broadcasting sensitive instance information on the local network.',
       evidence: `gateway.mdns.mode = "${gw.mdns.mode}"`,
-      remediation: 'Set gateway.mdns.mode to "minimal"',
-      autoFixable: true,
+      remediation: 'Manually set gateway.mdns.mode to "minimal" (not auto-fixable — key not in OpenClaw config schema)',
+      autoFixable: false,
       references: [],
       owaspAsi: 'ASI05',
     });
@@ -640,8 +640,8 @@ export async function auditExecution(ctx: AuditContext): Promise<AuditFinding[]>
       title: 'Execution approvals disabled',
       description: 'exec.approvals is set to "off". The agent can execute arbitrary commands without user confirmation.',
       evidence: 'exec.approvals = "off"',
-      remediation: 'Set exec.approvals to "always" in openclaw.json',
-      autoFixable: true,
+      remediation: 'Manually set exec.approvals to "always" in your OpenClaw settings (not auto-fixable — key not in OpenClaw config schema)',
+      autoFixable: false,
       references: ['CVE-2026-25253'],
       owaspAsi: 'ASI02',
     });
@@ -672,8 +672,8 @@ export async function auditExecution(ctx: AuditContext): Promise<AuditFinding[]>
       title: 'Sandbox mode not set to "all"',
       description: `Sandbox mode is "${ctx.config.sandbox?.mode ?? 'undefined'}". Not all commands run in a sandboxed environment.`,
       evidence: `sandbox.mode = "${ctx.config.sandbox?.mode ?? 'undefined'}"`,
-      remediation: 'Set sandbox.mode to "all" in openclaw.json',
-      autoFixable: true,
+      remediation: 'Manually set sandbox.mode to "all" in your OpenClaw settings (not auto-fixable — key not in OpenClaw config schema)',
+      autoFixable: false,
       references: [],
       owaspAsi: 'ASI05',
     });

secureclaw/src/hardener.test.ts

@@ -73,10 +73,13 @@ describe('hardener', () => {
     const result = await harden({ full: true, context: ctx });
     expect(result.results.length).toBeGreaterThan(0);
 
-    // Check that config was updated
+    // Check that config was updated with valid OpenClaw keys
     const updated = JSON.parse(await fs.readFile(configPath, 'utf-8'));
     expect(updated.gateway.bind).toBe('loopback');
-    expect(updated.exec.approvals).toBe('always');
+    expect(updated.tools.exec.host).toBe('sandbox');
+    // exec and sandbox keys should be stripped (not valid in OpenClaw schema)
+    expect(updated.exec).toBeUndefined();
+    expect(updated.sandbox).toBeUndefined();
   });
 
   it('writes a manifest file', async () => {

secureclaw/src/hardening/config-hardening.test.ts

@@ -41,26 +41,28 @@ describe('config-hardening', () => {
     };
   }
 
-  it('sets exec.approvals to always', async () => {
+  it('does NOT write exec.approvals (not in OpenClaw schema)', async () => {
     const configPath = path.join(tmpDir, 'openclaw.json');
     await fs.writeFile(configPath, JSON.stringify({ exec: { approvals: 'off' } }), 'utf-8');
 
     const ctx = makeCtx({ exec: { approvals: 'off' } });
     await configHardening.fix(ctx, backupDir);
 
     const updated = JSON.parse(await fs.readFile(configPath, 'utf-8'));
-    expect(updated.exec.approvals).toBe('always');
+    // exec key should not be created/modified by the hardener
+    expect(updated.exec).toBeUndefined();
   });
 
-  it('sets sandbox.mode to all', async () => {
+  it('does NOT write sandbox.mode (not in OpenClaw schema)', async () => {
     const configPath = path.join(tmpDir, 'openclaw.json');
     await fs.writeFile(configPath, JSON.stringify({ sandbox: { mode: 'off' } }), 'utf-8');
 
     const ctx = makeCtx({ sandbox: { mode: 'off' } });
     await configHardening.fix(ctx, backupDir);
 
     const updated = JSON.parse(await fs.readFile(configPath, 'utf-8'));
-    expect(updated.sandbox.mode).toBe('all');
+    // sandbox key should not be created/modified by the hardener
+    expect(updated.sandbox).toBeUndefined();
   });
 
   it('sets tools.exec.host to sandbox', async () => {
@@ -96,25 +98,42 @@ describe('config-hardening', () => {
     expect(updated.logging.redactSensitive).toBe('tools');
   });
 
-  it('clears autoApprove list', async () => {
+  it('does NOT write exec.autoApprove (not in OpenClaw schema)', async () => {
     const configPath = path.join(tmpDir, 'openclaw.json');
     await fs.writeFile(configPath, JSON.stringify({ exec: { autoApprove: ['ls', 'cat'] } }), 'utf-8');
 
     const ctx = makeCtx({ exec: { autoApprove: ['ls', 'cat'] } });
     await configHardening.fix(ctx, backupDir);
 
     const updated = JSON.parse(await fs.readFile(configPath, 'utf-8'));
-    expect(updated.exec.autoApprove).toEqual([]);
+    // exec key should not be created/modified by the hardener
+    expect(updated.exec).toBeUndefined();
   });
 
   it('creates backup before changes', async () => {
     const configPath = path.join(tmpDir, 'openclaw.json');
-    await fs.writeFile(configPath, JSON.stringify({ exec: { approvals: 'off' } }), 'utf-8');
+    await fs.writeFile(configPath, JSON.stringify({ tools: { exec: { host: 'gateway' } } }), 'utf-8');
 
-    const ctx = makeCtx({ exec: { approvals: 'off' } });
+    const ctx = makeCtx({ tools: { exec: { host: 'gateway' } } });
     await configHardening.fix(ctx, backupDir);
 
     const backupExists = await fs.access(path.join(backupDir, 'openclaw-config.json')).then(() => true).catch(() => false);
     expect(backupExists).toBe(true);
   });
+
+  it('check() reports exec.approvals=off as non-auto-fixable', async () => {
+    const ctx = makeCtx({ exec: { approvals: 'off' } });
+    const findings = await configHardening.check(ctx);
+    const finding = findings.find(f => f.id === 'SC-EXEC-001');
+    expect(finding).toBeDefined();
+    expect(finding!.autoFixable).toBe(false);
+  });
+
+  it('check() reports sandbox.mode as non-auto-fixable', async () => {
+    const ctx = makeCtx({ sandbox: { mode: 'off' } });
+    const findings = await configHardening.check(ctx);
+    const finding = findings.find(f => f.id === 'SC-EXEC-003');
+    expect(finding).toBeDefined();
+    expect(finding!.autoFixable).toBe(false);
+  });
 });

secureclaw/src/hardening/config-hardening.ts

@@ -37,10 +37,10 @@ export const configHardening: HardeningModule = {
         severity: 'CRITICAL',
         category: 'execution',
         title: 'Execution approvals disabled',
-        description: 'Will set exec.approvals to "always".',
+        description: 'Execution approvals are disabled. This allows commands to run without user confirmation.',
         evidence: 'exec.approvals = "off"',
-        remediation: 'Set exec.approvals to "always"',
-        autoFixable: true,
+        remediation: 'Manually set exec.approvals to "always" in your OpenClaw settings (not auto-fixable — key not in OpenClaw config schema)',
+        autoFixable: false,
         references: [],
         owaspAsi: 'ASI02',
       });
@@ -52,10 +52,10 @@ export const configHardening: HardeningModule = {
         severity: 'MEDIUM',
         category: 'execution',
         title: 'Sandbox not set to all',
-        description: 'Will set sandbox.mode to "all".',
+        description: 'Sandbox mode is not set to "all". Not all commands run in a sandboxed environment.',
         evidence: `sandbox.mode = "${ctx.config.sandbox?.mode ?? 'undefined'}"`,
-        remediation: 'Set sandbox.mode to "all"',
-        autoFixable: true,
+        remediation: 'Manually set sandbox.mode to "all" in your OpenClaw settings (not auto-fixable — key not in OpenClaw config schema)',
+        autoFixable: false,
         references: [],
         owaspAsi: 'ASI05',
       });
@@ -98,32 +98,12 @@ export const configHardening: HardeningModule = {
 
       const config = await readConfig(ctx.stateDir);
 
-      // 1. Enable approval mode
-      if (!config.exec) config.exec = {};
-      const oldApprovals = config.exec.approvals;
-      if (oldApprovals !== 'always') {
-        config.exec.approvals = 'always';
-        applied.push({
-          id: 'config-approvals',
-          description: 'Set exec.approvals to "always"',
-          before: oldApprovals ?? 'undefined',
-          after: 'always',
-        });
-      }
-
-      // 2. Force sandbox execution
-      if (!config.sandbox) config.sandbox = {};
-      const oldSandboxMode = config.sandbox.mode;
-      if (oldSandboxMode !== 'all') {
-        config.sandbox.mode = 'all';
-        applied.push({
-          id: 'config-sandbox-mode',
-          description: 'Set sandbox.mode to "all"',
-          before: oldSandboxMode ?? 'undefined',
-          after: 'all',
-        });
-      }
+      // NOTE: We only write keys that OpenClaw's runtime schema accepts.
+      // Keys like exec.approvals, exec.autoApprove, sandbox.mode are NOT
+      // valid in OpenClaw's config and would cause "Invalid config" errors.
+      // Those settings are reported as audit findings with manual remediation.
 
+      // 1. Set tools.exec.host to sandbox (valid OpenClaw key)
       if (!config.tools) config.tools = {};
       if (!config.tools.exec) config.tools.exec = {};
       const oldExecHost = config.tools.exec.host;
@@ -137,23 +117,7 @@ export const configHardening: HardeningModule = {
         });
       }
 
-      // 3. Disable auto-approval
-      if (!config.exec.autoApprove || config.exec.autoApprove.length > 0) {
-        config.exec.autoApprove = [];
-        applied.push({
-          id: 'config-auto-approve',
-          description: 'Cleared exec.autoApprove list',
-          before: 'had auto-approved commands',
-          after: '[] (nothing auto-approved)',
-        });
-      }
-
-      // 4. Set DM policy to pairing for open channels
-      // Note: Channel configs are typically separate but we handle them via the main config
-      // In a real deployment, each channel has its own config.
-      // We'll store the fix intent in secureclaw config.
-
-      // 5. Enable DM session isolation
+      // 2. Enable DM session isolation (valid OpenClaw key)
       if (!config.session) config.session = {};
       const oldDmScope = config.session.dmScope;
       if (oldDmScope !== 'per-channel-peer') {
@@ -166,7 +130,7 @@ export const configHardening: HardeningModule = {
         });
       }
 
-      // 6. Enable sensitive log redaction
+      // 3. Enable sensitive log redaction (valid OpenClaw key)
       if (!config.logging) config.logging = {};
       const oldRedact = config.logging.redactSensitive;
       if (oldRedact !== 'tools') {
@@ -179,6 +143,28 @@ export const configHardening: HardeningModule = {
         });
       }
 
+      // 4. Strip keys that are NOT in OpenClaw's config schema to avoid
+      //    "Invalid config" / "Unrecognized key" errors on startup.
+      const configAny = config as Record<string, unknown>;
+      if (configAny['exec']) {
+        delete configAny['exec'];
+        applied.push({
+          id: 'config-strip-exec',
+          description: 'Removed invalid root-level "exec" key (not in OpenClaw schema)',
+          before: 'present',
+          after: 'removed',
+        });
+      }
+      if (configAny['sandbox']) {
+        delete configAny['sandbox'];
+        applied.push({
+          id: 'config-strip-sandbox',
+          description: 'Removed invalid root-level "sandbox" key (not in OpenClaw schema)',
+          before: 'present',
+          after: 'removed',
+        });
+      }
+
       await writeConfig(ctx.stateDir, config);
     } catch (err) {
       errors.push(`Config hardening error: ${err instanceof Error ? err.message : String(err)}`);

secureclaw/src/hardening/gateway-hardening.test.ts

@@ -96,13 +96,12 @@ describe('gateway-hardening', () => {
     expect(updatedConfig.gateway.controlUi.allowInsecureAuth).toBe(false);
   });
 
-  it('fix() is idempotent', async () => {
+  it('fix() is idempotent when config already hardened', async () => {
     const configPath = path.join(tmpDir, 'openclaw.json');
     await fs.writeFile(configPath, JSON.stringify({
       gateway: {
         bind: 'loopback',
         auth: { mode: 'password', password: 'a'.repeat(64) },
-        mdns: { mode: 'minimal' },
         controlUi: { dangerouslyDisableDeviceAuth: false, allowInsecureAuth: false },
         trustedProxies: [],
       },
@@ -112,7 +111,6 @@ describe('gateway-hardening', () => {
       gateway: {
         bind: 'loopback',
         auth: { mode: 'password', password: 'a'.repeat(64) },
-        mdns: { mode: 'minimal' },
         controlUi: { dangerouslyDisableDeviceAuth: false, allowInsecureAuth: false },
         trustedProxies: [],
       },
@@ -123,4 +121,36 @@ describe('gateway-hardening', () => {
     const result = await gatewayHardening.fix(ctx, backupDir2);
     expect(result.applied).toHaveLength(0);
   });
+
+  it('fix() strips gateway.mdns key (not in OpenClaw schema)', async () => {
+    const configPath = path.join(tmpDir, 'openclaw.json');
+    await fs.writeFile(configPath, JSON.stringify({
+      gateway: {
+        bind: 'loopback',
+        auth: { mode: 'password', password: 'a'.repeat(64) },
+        mdns: { mode: 'full' },
+        controlUi: {},
+        trustedProxies: [],
+      },
+    }), 'utf-8');
+
+    const ctx = makeCtx({
+      gateway: {
+        bind: 'loopback',
+        auth: { mode: 'password', password: 'a'.repeat(64) },
+        mdns: { mode: 'full' },
+        controlUi: {},
+        trustedProxies: [],
+      },
+    });
+
+    const backupDir2 = path.join(tmpDir, 'backup2');
+    await fs.mkdir(backupDir2, { recursive: true });
+    const result = await gatewayHardening.fix(ctx, backupDir2);
+
+    // mdns key should be stripped
+    const updated = JSON.parse(await fs.readFile(configPath, 'utf-8'));
+    expect(updated.gateway.mdns).toBeUndefined();
+    expect(result.applied.some(a => a.id === 'gw-strip-mdns')).toBe(true);
+  });
 });

secureclaw/src/hardening/gateway-hardening.ts

@@ -116,10 +116,10 @@ export const gatewayHardening: HardeningModule = {
         severity: 'MEDIUM',
         category: 'gateway',
         title: 'mDNS in full mode',
-        description: 'Will set mDNS to minimal mode.',
+        description: 'mDNS is broadcasting in full mode, exposing service information to the local network.',
         evidence: `mdns.mode = "${gw.mdns.mode}"`,
-        remediation: 'Will set to "minimal"',
-        autoFixable: true,
+        remediation: 'Manually set gateway.mdns.mode to "minimal" (not auto-fixable — key not in OpenClaw config schema)',
+        autoFixable: false,
         references: [],
         owaspAsi: 'ASI05',
       });
@@ -206,16 +206,16 @@ export const gatewayHardening: HardeningModule = {
         });
       }
 
-      // 4. Set mDNS to minimal
-      if (!config.gateway.mdns) config.gateway.mdns = {};
-      const oldMdns = config.gateway.mdns.mode;
-      if (oldMdns !== 'minimal') {
-        config.gateway.mdns.mode = 'minimal';
+      // 4. Strip gateway.mdns — NOT a valid OpenClaw config key.
+      // mDNS findings are reported as non-auto-fixable in the auditor.
+      if (config.gateway.mdns) {
+        const gwAny = config.gateway as Record<string, unknown>;
+        delete gwAny['mdns'];
         applied.push({
-          id: 'gw-mdns',
-          description: 'Set mDNS to minimal mode',
-          before: oldMdns ?? 'undefined',
-          after: 'minimal',
+          id: 'gw-strip-mdns',
+          description: 'Removed invalid "gateway.mdns" key (not in OpenClaw schema)',
+          before: 'present',
+          after: 'removed',
         });
       }
 

secureclaw/src/integration.test.ts

@@ -309,11 +309,14 @@ describe('SecureClaw Integration', { timeout: 30000 }, () => {
       expect(updated.gateway.bind).toBe('loopback');
       expect(updated.gateway.auth.mode).toBe('password');
       expect(updated.gateway.auth.password.length).toBeGreaterThanOrEqual(64);
-      expect(updated.exec.approvals).toBe('always');
-      expect(updated.sandbox.mode).toBe('all');
+      expect(updated.tools.exec.host).toBe('sandbox');
+      // exec, sandbox, and gateway.mdns are NOT valid OpenClaw config keys
+      // The hardener strips them to avoid "Invalid config" errors
+      expect(updated.exec).toBeUndefined();
+      expect(updated.sandbox).toBeUndefined();
+      expect(updated.gateway.mdns).toBeUndefined();
       expect(updated.gateway.controlUi.dangerouslyDisableDeviceAuth).toBe(false);
       expect(updated.gateway.controlUi.allowInsecureAuth).toBe(false);
-      expect(updated.gateway.mdns.mode).toBe('minimal');
     });
 
     it('creates encrypted .env.enc file', async () => {